Hydra - make builder use ssh private key

I started a Hydra service on NixOS. I successfully added a project that checks out a private git repository by adding the ssh key to the hydra user’s .ssh folder, but when the actual jobs run they fail with:

<3>exporting <GIT_URL> (rev <COMMIT>) into <STORE_PKG_PATH>
<3>Initialized empty Git repository in <STORE_PKG_PATH>/.git/
<3>No user exists for uid 1000
<3>fatal: Could not read from remote repository.
<3>Please make sure you have the correct access rights
<3>and the repository exists.
<3>No user exists for uid 1000
<3>fatal: Could not read from remote repository.
<3>Please make sure you have the correct access rights
<3>and the repository exists.
<3>Unable to checkout <COMMIT> from <GIT_URL>
<3>builder for <NIX_STORE_PATH> failed with exit code 1

even though I added the key to all 3 users hydra, hydra-queue-runner and root and tested with all 3 of them that they are indeed able to clone the repo.

The job expressions reference the git repository by calling fetchgit.

I now came across this thread from 2017.
Even though in it they’re using fetchgitPrivate, it points out possible causes for my issue.

Most likely the builds being run by nixbldX users or one of the restrictions of sandboxed mode.

The resolution of the thread was that you basically want to pass the private repo sources as inputs to your build and let hydra fetch them for you.

This doesn’t feel too nice as I don’t see the reason why private repos should be handled differently from publicly accessible ones so if anyone has a more up to date solution feel free to share any ideas.

Related github issue 43583 - Add private option to fetchFromGitLab

I recommend using builtins.fetchGit. It will use the SSH configuration of the user invoking the build. In a project of mine I am now converting all uses of nixpkgs.fetchgitPrivate to builtins.fetchGit.


That’s exactly what I was trying to use today.
But then the evaluation phase fails with

hydra-eval-jobs returned exit code 1:
error: access to URI '<URL>' is forbidden in restricted mode

in your nixos config you can specify:

nix.extraOptions = ''
  allowed-uris = <space separated list of uris>
'';

after which nixos-rebuild switch will complain with:

warning: unknown setting 'allowed-uris'

which is confusing because after restarting:

systemctl restart hydra-evaluator.service
systemctl restart hydra-queue-runner.service

the evaluation succeeds.

It is not clear to me though why builtins.fetchGit is restricted while all other methods get to access repos without any restrictions (just imagine listing the urls used by nixpkgs).

The difference is between whether the fetching is done by the evaluator or as a build step. builtins.fetchGit and builtins.fetchTarball are typically executed during evaluation because their purpose is to fetch Nix expressions. On the other hand, nixpkgs.fetchurl and nixpkgs.fetchgit are typically executed as a build.
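An added example (not code from any of the posters) tying the allowed-uris setting above to the evaluation-time versus build-time distinction: a Hydra jobset expression that fetches the private repository with builtins.fetchGit during evaluation, pinned to a revision, so the clone runs as the evaluating user with that user's SSH configuration rather than as a sandboxed nixbld user. The repository URL, the commit hash and the package name are placeholders.

```nix
# release.nix, evaluated by hydra-eval-jobs as the hydra user.
# Prerequisite on the Hydra host (restricted mode rejects unlisted URIs):
#   nix.extraOptions = ''
#     allowed-uris = ssh://git@git.example.invalid/
#   '';
let
  pkgs = import <nixpkgs> { };

  # Evaluation-time fetch: runs with the evaluator's ~/.ssh, not inside the
  # build sandbox. Pinning rev keeps the evaluation reproducible and makes
  # the resulting store path stable across evaluations.
  src = builtins.fetchGit {
    url = "ssh://git@git.example.invalid/team/private-app.git"; # placeholder
    ref = "main";
    rev = "0000000000000000000000000000000000000000"; # placeholder commit
  };
in
{
  # The derivation only consumes the already-fetched source, so the builder
  # (a nixbld user with no SSH keys) never needs network or credential access.
  private-app = pkgs.stdenv.mkDerivation {
    pname = "private-app";
    version = "0.1";
    inherit src;
    dontBuild = true;
    installPhase = ''
      mkdir -p $out
      cp -r . $out/
    '';
  };
}
```

Had the same clone been expressed with pkgs.fetchgit instead, it would have been a build step executed by a nixbld user inside the sandbox, which is exactly the "No user exists for uid" failure shown at the top of the thread.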